CAPEC-653

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: High
Use of Known Operating System Credentials

Description

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.

Prerequisites

The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication.

The system/application does not have a sound password policy that is being enforced.

The system/application does not implement an effective password throttling mechanism.

The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target.

Mitigations

Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the network.

Create a strong password policy and ensure that your system enforces this policy.

Ensure users are not reusing username/password combinations for multiple systems, applications, or services.

Do not reuse local administrator account credentials across systems.

Deny remote use of local admin credentials to log into domain systems.

Do not allow accounts to be a local administrator on more than one system.

Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.

Monitor system and domain logs for abnormal credential access.

Skills Required

[Low] Once an adversary obtains a known credential, leveraging it is trivial.